[dnsdist] Only answer queries for subdomain from certain IPs?
remi.gacogne at powerdns.com
Tue Jun 23 10:09:31 UTC 2020
On 6/22/20 7:04 PM, Jason Bailey via dnsdist wrote:
> So I want to put dnsdist in front of all of my recursor and my auth
> servers and make sure that a given subdomain basically only exists when
> queried by a given IP or set of IPs.
> For example, suppose I have the subdomain my.example.com. If a client
> from my allowed list queries dnsdist for my.example.com, it passes it
> through to the recursor or auth server (whatever makes sense for that
> given circumstance) and returns the answer accordingly. If, on the other
> hand, a client that isn't on my allowed list happens to query dnsdist
> for that same subdomain, dnsdist responds to the client that the domain
> my.example.com doesn't exist and subsequently does not pass it through
> to recursor or auth. If it's for any other subdomain
> (ftp.example.com or whatever), dnsdist should just pass it through as
> usual and let recursor or auth handle it as it would.
> Can dnsdist do that effectively? If so, how would I go about it?
Yes, you would need to combine two rules to match the client source and
the requested domain, for example:
nmg = newNMG()
suffixes = newSuffixMatchNode()
That would match clients not coming from 192.0.2.0/24 or 2001:DB8::/32
and requesting a name below or at powerdns.com, sending a NXDOMAIN
answer to them.
In 1.5.0 (currently in release candidate state) we introduced the
SetNegativeAndSOAAction action which would be a bit better than the
RCodeAction for that use case since it would also send back a SOA record
in the response, but RCodeAction should also be fine.
The same kind of logic can be used with PoolAction() to route queries to
an authoritative server or a recursive server depending on the requested
PowerDNS.COM BV - https://www.powerdns.com/
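
Added example, not part of the original message: a complete dnsdist configuration for the setup discussed in this thread, combining the client-source and requested-name rules with RCodeAction and then routing with PoolAction(). It uses the question's my.example.com and the prefixes named in the reply; the backend addresses and the pool names "auth" and "recursor" are assumptions.

```lua
-- Assumed backends (documentation addresses): one authoritative server
-- and one recursor, each placed in its own pool.
newServer({address='198.51.100.10:53', pool='auth'})
newServer({address='198.51.100.20:53', pool='recursor'})

-- Clients that are allowed to see the restricted name.
local allowed = newNMG()
allowed:addMask('192.0.2.0/24')
allowed:addMask('2001:DB8::/32')

-- Restricted names: a SuffixMatchNode matches the name itself and
-- everything below it.
local restricted = newSuffixMatchNode()
restricted:add(newDNSName('my.example.com.'))

-- Zone assumed to be served by the authoritative backend.
local authZones = newSuffixMatchNode()
authZones:add(newDNSName('example.com.'))

-- Rule 1: the client is NOT in the allowed group AND the name is at or
-- below my.example.com. dnsdist answers NXDOMAIN itself, so the query
-- never reaches a backend.
addAction(
  AndRule({
    NotRule(NetmaskGroupRule(allowed)),
    SuffixMatchNodeRule(restricted)
  }),
  RCodeAction(DNSRCode.NXDOMAIN)
)

-- Rules 2 and 3: everything that got past rule 1 is routed by name.
-- Rules are evaluated in the order they were added, so the NXDOMAIN
-- rule has to stay above these routing rules.
addAction(SuffixMatchNodeRule(authZones), PoolAction('auth'))
addAction(AllRule(), PoolAction('recursor'))
```

If an allowed client is itself a caching resolver, the restricted name is visible to whoever that resolver serves, so the allowed list should contain only the final consumers or resolvers with an equivalent restriction.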